nected device, and thwarting the drone before it can damage either its host or the vandal's target.

SUMMARY

The present invention provides an improved system and method for detecting the presence of a drone or zombie implanted stealthily in a network connected host device, and controlling the output of the drone in order to prevent damage to its host or to a vandal's target.

According to the present invention, a network connected device is protected by an inbound intrusion detection system, an outbound intrusion detection system, a blocker such as a firewall, an inbound trace log for storing a trace of inbound traffic to the protected device, an outbound trace log for storing a trace of outbound traffic from the protected device, and a correlator. When the outbound intrusion detection system detects the triggering of a drone by the presence of outbound DDoS traffic, the outbound intrusion detection system instructs the blocker to block the outbound DDoS traffic. The correlator then recalls the outbound trace log and the inbound trace log, correlates one log with the other, and thereby deduces a source ID of a message responsible for triggering the drone. The correlator then instructs the blocker to block any further incoming messages that bear this source ID.

Consequently, the DDoS activity of the drone may be detected, outbound DDoS traffic may be blocked before it inflicts damage on the target, and further triggering messages from the vandal may be intercepted and blocked.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows aspects of the structure of an exemplary embodiment of the present invention.

FIG. 2 shows aspects of the operation of the structure of FIG. 1.

DETAILED DESCRIPTION

The present invention provides an improved system and method for detecting the presence of a drone or zombie implanted in a network connected host device by a vandal, and controlling the output of the drone in order to prevent damage to its host or to the vandal's target.

FIG. 1 shows structural aspects of an exemplary embodiment of the present invention. In FIG. 1, a network connected device 100 is connected to a communication network such as the Internet 110. The network connected device 100 may be a computer or related device, for example a personal computer, a server, and so forth. A vandal 120 may implant a zombie or drone 105 in the network connected device 100. The purpose of the drone 105 is to launch a denial of service (DoS) attack or a portion of a distributed denial of service attack (DDoS) against a target 125, which may also be connected to the Internet 110 or other communication network.

The network connected device 100 is protected by an inbound intrusion detection system (IDS) 130, an outbound IDS 135, and a blocker 140 such as a firewall, network router, load balancer, and so forth. The outbound IDS 135 may be a special purpose device, or may be a conventional IDS similar in kind to the inbound IDS 130, but configured to observe outbound traffic rather than inbound traffic.

Inbound traffic flows from the Internet 110, through the blocker 140, to the network connected device 100. Outbound traffic flows from the network connected device 100, through the blocker 140, to the Internet 110. The inbound traffic may include an inbound message from the vandal 120 to the drone 105, responsible for triggering outbound drone traffic, for example outbound denial of service (DoS or DDoS) traffic intended to attack the target 125.

As shown in FIG. 1, an inbound trace log 145 keeps a record of inbound traffic over a predetermined time window, and an outbound trace log 150 likewise keeps a record of outbound traffic. A correlator 155, whose operation is described in detail below, accesses the inbound trace log 145 and ... outbound IDS 135, and the blocker 140. The inbound IDS 130, the outbound IDS 135, and the correlator 155 may send security alerts to a network administrator 160, which may be human, or automated, or a combination thereof.

It is important to note that the exemplary structure of the invention shown in FIG. 1 is illustrative rather than limiting. Once taught the present invention, those skilled in the art may propose other configurations equivalent to that shown in FIG. 1. For example, the correlator 155 may be stand-alone logic such as a microprocessor, or may be implemented ... the inbound IDS 130, or by the outbound IDS 135, and so forth. The inbound trace log 145 and the outbound trace log 150 may be separate or combined, and may be stand-alone or included within the inbound IDS 130, the outbound IDS 135, the blocker 140, the network connected device 100, and so forth. Also, the various connections shown in FIG. 1 may be made through intermediaries without departing from the scope of the invention. For example, the inbound trace log 145 may be fed from the inbound IDS 135, or from the blocker 140, or from the network connected device 100 rather than connected directly to the Internet 110, and likewise for the outbound trace log 150.

FIG. 2 shows aspects of the method of operation of the present invention, with reference to the exemplary structure of FIG. 1. As shown in FIG. 2, the outbound IDS 135 observes outbound traffic, awaiting the appearance and detection of outbound drone traffic, such as outbound DoS or DDoS traffic from the drone 105 (step 200). Outbound drone traffic may be detected by its signature, for example according to the entries of the Common Vulnerabilities and Exposures (CVE) list sponsored by MITRE Corporation (http://www.cve.mitre.org/). When outbound drone traffic is not detected, the method continues to await the detection of outbound drone traffic (step 200).

Otherwise (i.e., outbound drone traffic is detected), the outbound IDS 135 sends a security alert to the network administrator 160 (step 205) and determines the destination address of the outbound drone traffic (step 210). The detection of outbound drone traffic and the sending of the security alert may be contingent upon more than one occurrence of a signature, as determined by the parameters of the outbound IDS 135. The outbound IDS 135 or the network administrator 160 then instructs the blocker 140 to block the outbound drone traffic (step 215), for example by instructing the blocker 140 to block passage of outbound traffic to the destination address that represents the target 125 as determined by the outbound IDS 135 (in step 210).

The outbound IDS 135 then provides notice of the outbound drone traffic and the destination address that represents the target 125 to the correlator 155 (step 220). The
correlator 155 fetches the inbound trace log 145 and the 
outbound trace log 150 (step 225), and correlates the 
inbound trace log 145 with the outbound trace log 150 in 
order to deduce the source ID of the sender of an inbound 
message to the drone 105 from the vandal 120 (step 230). 
Here, the term "source ID" is used broadly, and is not limited 
to IP addresses; rather, a source ID may also be an address 
derived from an IP address, an application level address or 
an address derived from an application level address, and so 
forth. This inbound message may be an inbound message 
from the vandal 120 responsible for triggering the outbound 
drone traffic from the drone 105. The correlator 155 may 
perform correlation by identifying a match between various 
components of a signature in the CVE list mentioned earlier, 
or by searching the inbound trace log 145 for an inbound 
message that includes the address of the target 125. This 
inbound message is likely to be the inbound message 
responsible for triggering the outbound drone traffic from 
the drone 105; consequently, the source ID of this inbound 
message is likely to be the source ID of the vandal 120. 
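The detection, correlation and blocking sequence described for FIG. 2 (steps 200 through 240), carried through as an added worked example written for this page; it is not code from the patent or from any product. The trace logs, the addresses, the `SYN` flood signature with its `min_hits` occurrence threshold (a constructed stand-in for a CVE-style signature and the outbound IDS parameters), and the 30-second correlation window are all assumptions made for the example.

```python
"""Added example (not from the patent): signature detection of outbound drone
traffic, trace-log correlation to deduce a source ID, and blocking, following
the FIG. 2 steps 200-240. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Record:
    """One trace-log entry (constructed format: time, addresses, payload)."""
    ts: float
    src: str
    dst: str
    payload: str


@dataclass
class Signature:
    """Outbound drone-traffic signature. Detection is contingent on min_hits
    matching records to one destination (the 'more than one occurrence'
    parameter of the outbound IDS). Hypothetical stand-in for a CVE entry."""
    name: str
    matches: Callable[[Record], bool]
    min_hits: int


@dataclass
class Blocker:
    """Firewall-like blocker 140: outbound-destination and inbound-source blocks."""
    blocked_dst: Set[str] = field(default_factory=set)
    blocked_src: Set[str] = field(default_factory=set)

    def block_outbound_to(self, dst: str) -> None:
        self.blocked_dst.add(dst)

    def block_inbound_from(self, src: str) -> None:
        self.blocked_src.add(src)

    def allows(self, r: Record) -> bool:
        return r.dst not in self.blocked_dst and r.src not in self.blocked_src


def detect_outbound_drone_traffic(outbound_log: List[Record], sig: Signature) -> Optional[Dict]:
    """Steps 200/210: find a destination receiving at least min_hits signature matches."""
    hits: Dict[str, List[Record]] = defaultdict(list)
    for r in outbound_log:
        if sig.matches(r):
            hits[r.dst].append(r)
    for dst, recs in hits.items():
        if len(recs) >= sig.min_hits:
            return {"signature": sig.name, "destination": dst,
                    "hits": len(recs), "first_ts": recs[0].ts}
    return None


def correlate_source_id(inbound_log: List[Record], destination: str,
                        first_ts: float, window: float) -> Optional[str]:
    """Step 230: search the inbound trace log, within `window` seconds before the
    outbound traffic began, for a message that names the target address; the
    latest such message is taken as the trigger and its source ID returned."""
    candidates = [r for r in inbound_log
                  if first_ts - window <= r.ts <= first_ts and destination in r.payload]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.ts).src


def respond(inbound_log, outbound_log, sig, blocker, window=30.0) -> Dict:
    """Run the FIG. 2 sequence once and report what was alerted and blocked."""
    alerts: List[str] = []
    det = detect_outbound_drone_traffic(outbound_log, sig)
    if det is None:
        return {"detected": False, "alerts": alerts}        # remain in step 200
    alerts.append(f"outbound {det['signature']} to {det['destination']} "
                  f"({det['hits']} hits)")                   # step 205
    blocker.block_outbound_to(det["destination"])            # step 215
    src = correlate_source_id(inbound_log, det["destination"], det["first_ts"], window)
    if src is not None:
        alerts.append(f"trigger source ID {src}")            # step 235
        blocker.block_inbound_from(src)                      # step 240
    return {"detected": True, "destination": det["destination"],
            "source_id": src, "alerts": alerts}


# Constructed sample logs (RFC 5737 documentation addresses, not real hosts).
HOST = "192.0.2.10"       # network connected device 100
TARGET = "192.0.2.77"     # target 125
INBOUND_LOG = [
    Record(60.0, "203.0.113.5", HOST, "GET /news?ref=192.0.2.77"),   # stale, outside window
    Record(100.0, "203.0.113.9", HOST, "GET /index.html"),
    Record(101.5, "198.51.100.7", HOST, "CMD FLOOD 192.0.2.77:80"),  # trigger from vandal 120
    Record(102.0, "203.0.113.42", HOST, "POST /login"),
]
OUTBOUND_LOG = [Record(102.5, HOST, "203.0.113.9", "200 OK")] + [
    Record(103.0 + 0.1 * i, HOST, TARGET, "SYN") for i in range(5)   # drone 105 flooding
] + [Record(103.6, HOST, "203.0.113.42", "302 Found")]

SYN_FLOOD = Signature("syn-flood", lambda r: r.payload == "SYN", min_hits=5)

if __name__ == "__main__":
    blocker = Blocker()
    print(respond(INBOUND_LOG, OUTBOUND_LOG, SYN_FLOOD, blocker))
    print("blocked destinations:", blocker.blocked_dst, "blocked sources:", blocker.blocked_src)
```

Two design points carry the text's caveats: the occurrence threshold keeps a single matching packet from raising an alert, and the correlation window keeps an old, unrelated inbound message that merely mentions the target address (the `60.0` record) from being mistaken for the trigger. If no inbound message qualifies, the outbound block still stands and only the inbound block is skipped.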

The correlator 155 then sends a security alert to the network administrator 160 identifying the source ID of the vandal 120 (step 235), and the correlator 155 or the network administrator 160 instructs the blocker 140 to block passage of any further inbound traffic that bears the source ID of the vandal 120 (step 240). The method then returns to await the detection of outbound drone traffic (step 200). After an appropriate time, or upon cessation of outbound drone traffic, the inbound and outbound blocks may be rescinded.

From the foregoing description, those skilled in the art will appreciate that the present invention enables early detection of a drone implanted by a vandal in a network connected device, provides a way of blocking outbound drone traffic intended to harm a target device, and further provides a way to block subsequent inbound messages from the vandal intended to re-start the drone. The foregoing description is illustrative rather than limiting, however, and the present invention is limited only by the following claims.

We claim:

1. A system for detecting and controlling a drone implanted in a network connected device such as a computer, the system comprising:

an outbound intrusion detection system for detecting outbound drone traffic from a drone implanted in a network connected device and providing notice when the outbound drone traffic is detected;

a blocker for blocking the outbound drone traffic responsive to the notice provided by the outbound intrusion detection system;

an outbound trace log for storing a trace of outbound traffic from the network connected device;

an inbound trace log for storing a trace of inbound traffic to the network connected device; and

a correlator for correlating the outbound trace log and the inbound trace log and deducing a source ID of an inbound message responsible for triggering the outbound drone traffic.

2. The system of claim 1, wherein the correlator instructs the blocker to block inbound traffic that bears the source ID.

3. The system of claim 1, wherein the blocker is a firewall.

4. The system of claim 1, wherein the blocker is a network router.

5. The system of claim 1, wherein the blocker is a load balancer.

6. The system of claim 1, wherein the outbound intrusion detection system provides a destination address of the outbound drone traffic to the correlator, and the correlator searches the incoming trace log for an inbound message that includes the destination address.

7. A system for detecting and controlling a drone implanted in a network connected device such as a computer, the system comprising:

an outbound intrusion detection system for detecting outbound denial of service traffic from a drone implanted in a network connected device and providing notice when the outbound denial of service traffic is detected;

an outbound trace log for storing a trace of outbound traffic from the network connected device;

an inbound trace log for storing a trace of inbound traffic to the network connected device;

a correlator for correlating the outbound trace log and the inbound trace log and deducing a source ID of an inbound message responsible for triggering the outbound denial of service traffic; and

a blocker, responsive to the notice provided by the outbound intrusion detection system, for blocking inbound traffic that bears the source ID and blocking the outbound denial of service traffic.

8. A system for detecting and controlling a drone implanted in a network connected device such as a computer, the system comprising:

an outbound intrusion detection system for detecting outbound denial of service traffic from a drone implanted in a network connected device, providing notice when the outbound denial of service traffic is detected, and providing a destination address of the outbound denial of service traffic;

an outbound trace log for storing a trace of outbound traffic from the network connected device;

an inbound trace log for storing a trace of inbound traffic to the network connected device;

a correlator for correlating the inbound trace log for an inbound message that includes the destination address of the outbound denial of service traffic and determining a source ID of the inbound message that includes the destination address of the outbound denial of service traffic; and

a blocker, responsive to the notice provided by the outbound intrusion detection system, for blocking inbound traffic bearing the source ID and blocking the outbound denial of service traffic.

9. A method for detecting and controlling a drone implanted in a network connected device such as a computer, the method comprising the steps of:

monitoring outbound traffic from a network connected device for outbound drone traffic; and,

when outbound drone traffic is detected, blocking the outbound drone traffic and deducing a source ID of a message responsible for triggering the outbound drone traffic by correlating an inbound trace log and an outbound trace log.

10. The method of claim 9, further comprising the step of blocking inbound traffic that bears the source ID.

11. The method of claim 9, wherein the outbound drone traffic is blocked by a firewall.

12. The method of claim 9, wherein the outbound drone traffic is blocked by a network router.

13. The method of claim 9, wherein the outbound drone traffic is blocked by a load balancer.

14. The method of claim 9, further comprising the step of determining a destination address of the outbound drone traffic.